Thursday, January 5, 2017

Reflected XSS in Etsy

Last month, I found a reflected XSS in Etsy and received a bounty + swag. I found the XSS by browsing the mobile version of Etsy (you can do this by changing your user agent to a mobile one). The vulnerable URL is https://www.etsy.com/teams/ and to reproduce the XSS, just enter an XSS payload in the search bar and the XSS will execute. Etsy's security team fixed this within a day and the response time was one week (because of weekends). The bug was worth $500.
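The bug class above, as an added example (not Etsy's code and not from the original post): a search page that reflects the query parameter into its markup, once without output encoding (the pattern that produces a reflected XSS) and once with HTML entity encoding, plus a defender's check that runs a constructed probe through each template variant. The "mobile" and "desktop" template names and the probe string are assumptions made for the example.

```javascript
// Minimal HTML entity encoder for untrusted text placed inside element
// content or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical mobile template): the raw query is
// concatenated straight into the page, so any markup in it is rendered.
function renderSearchMobileUnsafe(query) {
  return `<input name="q" value="${query}"><p>Results for ${query}</p>`;
}

// Fixed pattern: every reflection of the query is entity-encoded first.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Defender's check: render a constructed probe containing HTML
// metacharacters and report whether the markup comes back encoded.
// Returns true when the template is safe, false when it reflects raw markup.
function reflectsEncoded(render) {
  const probe = '"><i>probe</i>'; // constructed test input
  const html = render(probe);
  return !html.includes("<i>probe</i>") && !html.includes('"><i>');
}

// Run the check over several template variants (e.g. desktop vs. mobile,
// as in the report above) and return the names of the ones that fail.
function auditTemplates(templates) {
  return Object.keys(templates).filter((name) => !reflectsEncoded(templates[name]));
}
```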

POC:

Bounty:

That's all... Thanks.